TransUnion: US data breach severity hits new high

Despite the volume of U.S. data breaches declining in 2024 from highs reached a year prior, experts said data breach severity reached levels never seen since TransUnion’s measurement began in 2020.
These findings were revealed as part of TransUnion’s H1 2025 Update to the State of Omnichannel Fraud Report.
In 2024, TransUnion reported the number of primary data breaches dipped to 2,577 from 2,842 the year prior, while third-party data breaches fell precipitously to 515 from 2,731 in 2023.
However, experts noticed the severity of those data breaches increased by 34% from one year earlier, with the primary US Breach Risk Score (BRS)1 rising from 4.1 to 5.6 and third party rising from 4.2 to 5.2.
TransUnion explained Breach Risk Score is measured on a 1–10 scale, where 1 represents the least severe and 10 most.
Experts pointed out that a primary data breach represents a direct attack on an organization. Experts added that a third-party data breach, also known as a supply-chain attack, value-chain attack, or backdoor breach, is when an attacker accesses an entity’s network via third-party vendors or suppliers — payroll processing or medical billing, for instance.
The study found that the 2024 U.S. data breaches targeted more high-quality credentials, and consumers reported being targeted by data harvesting scams in every channel, including email, text, phone and online.
TransUnion said exposed identity data enables cybercriminals to power automated, identity-based attacks on organizations and individuals more readily.
“The reversal of the multi-year U.S. data breach growth is certainly a step in the right direction. However, the significant jump in data breach severity is a cause for concern,” said Steve Yin, global head of fraud at TransUnion.
“Breach severity is a leading indicator of future fraud. This year’s growth in severity means organizations must be even more diligent moving forward and work even harder to defend against the oncoming identity fraud attacks such as those in account creations, social engineering scams, and account takeovers,” Yin continued in a news release.
These data breaches played a key role in significant financial losses faced by consumers due to fraud.
Among consumers TransUnion surveyed in 18 countries and regions in November and December, 29% said they lost money due to online, email, phone or text message fraud in the last year.
The report also found that the median amount those consumers said they lost due to fraud in the past year was $1,747.
Communities, which include venues such as online dating and forums, had the highest rate of suspected digital fraud attempts globally in 2024, according to TransUnion.
Experts noticed nearly 12% of all attempted communities transactions were suspected to be digital fraud last year. This is closely followed by video gaming (11%), with gaming (including online betting, poker, etc.) at 8% and retail (8%) rounding out the top four.
TransUnion added that he logistics industry, which has seen growth in shipping fraud (often perpetrated by organized crime rings), saw the greatest suspected digital fraud volume growth globally in 2024, up more than 100% over 2023.
“That being said, the fraud rate remains at a relatively modest 3%,” TransUnion said.
Gaming also saw a significant year-over-year volume change, up 20%. Telecommunications (down 79%), insurance (down 29%) and video gaming (down 23%) saw the greatest decreases in suspected digital fraud volume year-over-year.
“Digital fraud on community platforms is by no means a new phenomenon. However, in 2024, it appears that fraudsters targeted these areas with a renewed vigor,” said Richard Tsai, senior director of global fraud solutions at TransUnion.
“Cybercriminals, taking advantage of the trust inherent on community-based platforms, targeted members with a wide range of scammer solicitations, the most reported type of digital fraud in communities,” Tsai went on to say.